0

use fail2ban to block wordpress login attempts

Today while monitoring traffic on my server I noticed that there was 1 IP from UK that is keep accessing my server and generating noticeable amount of traffic. I did a quick IP lookup and netstat to find that the IP was accessing port 80 on my server. I then went to the httpd logs and searched for the IP and wala! it is trying to log into my wordpress site attempt after attempt.

Since I already have fail2ban running on my server I decided to look into using fail2ban to ban lots of failed attempts

looking at my logs I saw many lines like
xxx.xxx.xxx.xxx - - [24/Feb/2016:14:09:44 -0600] "POST /wp-login.php HTTP/1.0" 301 245 "-" "-"

So I created a /etc/fail2ban/filter.d/wordpress.conf

# wordpress auth filter
[INCLUDES]
before = common.conf

[Definition]
failregex = ^ .* “POST .*wp-login.php HTTP/.*” 200
ignoreregex =

add the conf to jail.conf

[wordpress]

port = http,https
logpath = %(apache_access_log)s

add the rule to jail.local

[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port=”http,https”]
logpath = /var/log/httpd/*access*log
bantime = 86400
maxretry = 5

Now test the rule
# fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress.conf

once verified restart fail2ban
# systemctl restart fail2ban.service

Verify
# iptables -vnL

its very easy to block other items as well as long as you can find the pattern from the log files.

Leave a Reply

Your email address will not be published. Required fields are marked *